Amus.A

Threat description

Details

Category: Malware
Type: Worm

Summary

Amus was found on the 5th of August 2004. It is a simple mass-mailer written in Visual Basic.



Removal

Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Amus is packed with Yoda. Its packed size is 51782.

Once executed, it creates a mutex named "Masum" to avoid being run more than once, and copies itself to:

C:\masum.exe  

It drops copies of itself in the Windows folder with names from:

Messenger.exe
My_Pictures.exe
Meydanbasi.exe
Pide.exe
Pire.exe
Cekirge.exe
Ankara.exe
Adapazari.exe
Anti_Virus.exe
KdzEregli.exe

A registry key will be set to point to one of the dropped files:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"Microzoft_Ofiz" = "C:\%WinDir%\KdzEregli.exe"

Where %WinDir% is the main Windows folder.
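The host artifacts listed above (the C:\masum.exe copy, the dropped file names and the Run value) can be checked against triage data collected from a machine. The following Python is an added example, not F-Secure's detection logic; the function names, the input format and the default Windows folder are assumptions, and the sample data is constructed.

```python
import ntpath

# Indicators copied from the description above; matching is case-insensitive
# because Windows paths and registry value names are.
SELF_COPY = r"c:\masum.exe"
RUN_VALUE = "microzoft_ofiz"
DROPPED = {"messenger.exe", "my_pictures.exe", "meydanbasi.exe", "pide.exe",
           "pire.exe", "cekirge.exe", "ankara.exe", "adapazari.exe",
           "anti_virus.exe", "kdzeregli.exe"}

def _norm(path):
    # Strip quoting from registry data, collapse separators, lowercase.
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))

def _is_dropped_copy(path, windir):
    path = _norm(path)
    return ntpath.dirname(path) == _norm(windir) and ntpath.basename(path) in DROPPED

def amus_findings(files, run_values, windir=r"C:\Windows"):
    """files: full paths from a triage listing; run_values: name -> data
    exported from the HKLM Run key (both hypothetical input formats)."""
    findings = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE:
            findings.append(("strong", f"Run value {name} = {data}"))
        elif _is_dropped_copy(data, windir):
            findings.append(("strong", f"Run value {name} starts {data}"))
    for path in files:
        if _norm(path) == SELF_COPY:
            findings.append(("strong", f"self-copy {path}"))
        elif _is_dropped_copy(path, windir):
            # A bare name such as Messenger.exe is not unique to the worm.
            findings.append(("weak", f"dropped-copy name {path}"))
    return findings

def verdict(findings):
    strengths = {s for s, _ in findings}
    if "strong" in strengths:
        return "likely infected"
    return "review" if strengths else "no indicators"

# Constructed sample data, not taken from a real host.
SAMPLE_FILES = [r"C:\masum.exe", r"C:\WINDOWS\Pide.exe", r"C:\Windows\notepad.exe",
                r"C:\Users\a\Desktop\Ankara.exe"]
SAMPLE_RUN = {"Microzoft_Ofiz": r"C:\WINDOWS\KdzEregli.exe"}

if __name__ == "__main__":
    print(verdict(amus_findings(SAMPLE_FILES, SAMPLE_RUN)))
```

A dropped-copy file name on its own is reported as "weak" because it only becomes meaningful alongside the Run value or the C:\masum.exe copy.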

Spreading in e-mails

It sends e-mails with the subject:

Listen and Smile  

And body:

Hey. I beg your pardon. You must listen.  

The attached file will be named:

masum.exe

Payload

When the virus is run, it uses the Windows Speech Engine to speak the following message:

How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa.   You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule.  

To listen to what the message sounds like, listen to this audio file:

https://www.f-secure.com/weblog/archives/amus.wav

If the day of the month is the 10th or 23rd, the worm will attempt to delete all INI files from the Windows folder.

If the day of the month is the 2nd, 15th or 17th, the worm will attempt to delete all DLL files from the Windows folder.

Detection

Detection for the Amus.A worm has been available since the following FSAV updates:

Detection Type: PC

Database: 2004-08-05_02
